Quick Start

Basic scan

cloud-audit scan

Uses your default AWS credentials and region. You get a health score, attack chains, and findings.

With remediation details

cloud-audit scan -R

Shows AWS CLI commands and Terraform HCL to fix each finding.

Specific profile and regions

cloud-audit scan --profile production --regions eu-central-1,eu-west-1

Generate reports

# HTML report (client-ready, dark mode)
cloud-audit scan --format html --output report.html

# SARIF for GitHub Code Scanning
cloud-audit scan --format sarif --output results.sarif

# Markdown for PR comments
cloud-audit scan --format markdown --output report.md

Format is auto-detected from the file extension.

Export fixes as a script

cloud-audit scan --export-fixes fixes.sh

The script uses set -e, so it stops at the first command that fails, and every command in it is commented out. Review it, uncomment the fixes you want to apply, and run it.

Cross-account scanning

cloud-audit scan --role-arn arn:aws:iam::987654321098:role/auditor

Filter results

cloud-audit scan --min-severity high          # Only HIGH and CRITICAL
cloud-audit scan --categories security        # Only security checks
cloud-audit scan --quiet                      # Exit code only (CI/CD)

Exit codes

Code Meaning
0 No findings (after suppressions and severity filter)
1 Findings detected
2 Scan error (bad credentials, invalid config)
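
The wrapper below is an added example, not part of cloud-audit: a CI gate that keeps the three documented exit codes apart, so a scan error (code 2) is never read as a clean result or as ordinary findings. `CLOUD_AUDIT_BIN`, the function names and the gate's own return code 3 are assumptions of this example, as is combining `--min-severity` and `--quiet` in one invocation.

```shell
#!/bin/sh
# Added example: CI gate built on the exit codes documented above.
# CLOUD_AUDIT_BIN lets a pipeline pin the binary path (assumption of this example).
CLOUD_AUDIT_BIN="${CLOUD_AUDIT_BIN:-cloud-audit}"

# Map a cloud-audit exit code to a verdict string.
classify_exit() {
  case "$1" in
    0) echo "pass" ;;        # no findings after suppressions and severity filter
    1) echo "findings" ;;    # findings detected
    2) echo "scan-error" ;;  # bad credentials, invalid config
    *) echo "unknown" ;;     # undocumented code, e.g. 127 when the binary is missing
  esac
}

# Run the scan and return 0 (pass), 1 (findings) or 3 (no usable result).
# Extra arguments such as --profile or --regions are passed through unchanged.
run_gate() {
  rc=0
  # "|| rc=$?" keeps a caller's "set -e" from aborting before the code is inspected.
  "$CLOUD_AUDIT_BIN" scan --min-severity high --quiet "$@" || rc=$?
  verdict="$(classify_exit "$rc")"
  case "$verdict" in
    pass)
      echo "gate: pass (exit $rc)" >&2
      return 0 ;;
    findings)
      echo "gate: HIGH or CRITICAL findings (exit $rc)" >&2
      return 1 ;;
    *)
      # The account was not actually assessed: fail the job, but with a
      # different code so alerting can tell an outage from real findings.
      echo "gate: scan did not complete ($verdict, exit $rc)" >&2
      return 3 ;;
  esac
}

# In a pipeline step:
#   run_gate --profile production --regions eu-central-1,eu-west-1
```
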